1. Overview

RTS ICT third-party service providers Art. 5, 3

The risk assessment shall take into account all the relevant requirements laid down in Regulation (EU) 2022/2554 and applicable sectoral Union legislation. It shall consider, in particular, the impact of the provision of ICT services supporting critical or important functions by ICT third~~party service providers on the financial entity and all the risks posed by the provision of those ICT services supporting critical or important functions by ICT third~~party service providers, including the following:

Summary	Regulation
RTS ICT third-party service providers Art. 5, 3a	(a) operational risks;
RTS ICT third-party service providers Art. 5, 3b	(b) legal risks;
RTS ICT third-party service providers Art. 5, 3c	(c) ICT risks;
RTS ICT third-party service providers Art. 5, 3d	(d) reputational risks;
RTS ICT third-party service providers Art. 5, 3e	(e) risks linked to the protection of confidential or personal data;
RTS ICT third-party service providers Art. 5, 3f	(f) risks linked to the availability of data;
RTS ICT third-party service providers Art. 5, 3g	(g) risks linked to the location where the data is processed and stored;
RTS ICT third-party service providers Art. 5, 3h	(h) risks linked to the location of the ICT third-party service provider;
RTS ICT third-party service providers Art. 5, 3i	(i) ICT concentration risks at entity level.

1.1 References

1.2 Identified Requirements

1.3 Related Standards

2. Identified Requirements

Requirements
Source	Requirement

3. Related Standards

Standards
Source	Requirement

DORA -
DORA